A new FROST attack demonstrates how researchers can fingerprint your browsing and app activity by measuring SSD timing through a browser API, with no permissions or user interaction required. FROST stands for Fingerprinting Remotely using OPFS-based SSD Timing, and it represents the first remote exploitation of the Origin Private File System (OPFS) to leak sensitive information directly from JavaScript running in your browser.
Key Takeaways
- FROST exploits OPFS, a browser file system API, to measure SSD contention without permissions or prompts.
- The attack works on Chrome, Firefox, and Safari across Linux and macOS systems.
- Researchers use a trained neural network to classify SSD timing patterns and identify user activity.
- No visible indicators alert users—OPFS files are hidden from view with no Safe Browsing checks.
- The attack can identify which websites are open in tabs and which apps are running on your device.
How the FROST Attack Actually Works
The FROST attack exploits a subtle vulnerability in how browsers handle file system access. When you visit a website carrying the attacker’s JavaScript (either a malicious site or a compromised one), that script creates a large file in OPFS—your browser’s sandboxed file storage—without any special permissions. The code then continuously performs random reads from that file while measuring how long each read takes. When you use other applications or browse other sites, your device’s SSD becomes busier, creating contention that measurably slows the attacker’s read operations. By analyzing these timing variations, the attack can infer what you’re doing.
The researchers turned this timing data into a classifier using a convolutional neural network trained to recognize patterns in SSD latency. The model learns to distinguish between different types of activity—opening a specific app, switching between browser tabs, or loading a website—based purely on how the SSD’s performance fluctuates. Since OPFS is invisible to users and generates no permission prompts or Safe Browsing warnings, victims have no way to know they’re being monitored.
Why FROST Matters: A New Category of Browser Threat
Previous SSD contention attacks required running code outside the browser, on the operating system itself. FROST breaks that barrier by executing entirely within the browser sandbox, making it dramatically more accessible to attackers. Any website you visit can deploy this attack without special software or system-level access. The threat is amplified because OPFS is supported across the three major browser engines: Chrome, Firefox, and Safari. This isn’t a niche vulnerability affecting one browser—it’s a fundamental weakness in how modern browsers handle file system access.
What makes FROST particularly dangerous is the absence of user friction. Traditional attacks require victims to download something, grant permissions, or interact with suspicious prompts. FROST needs none of that. You simply visit a website, and the fingerprinting begins immediately. The attacker learns not just what you’re doing in that browser tab, but what other applications are running on your entire system. A news site could identify that you’re running a medical app. A competitor’s website could detect that you’re also visiting their rival. A malicious ad network could correlate your browsing across multiple sites by linking activity patterns.
FROST vs. Previous Side-Channel Attacks
Side-channel attacks have existed for years, but they’ve historically required either physical access to a device or the ability to run code at the operating system level. Researchers have previously exploited SSD contention to infer activity, but those attacks operated outside the browser, limiting their reach. FROST collapses that boundary. By weaponizing OPFS—a legitimate browser feature designed to help web applications store data offline—the attack gains the distribution advantage of the web itself. Any attacker with a website can deploy it. No malware installation needed. No system compromise required.
The comparison also highlights why OPFS was attractive to attackers in the first place. Unlike older browser storage APIs, OPFS provides persistent file access without requiring user interaction, making it ideal for measuring SSD contention over time. The files persist on your actual file system, allowing the attacker to maintain consistent measurements across browser sessions.
Which Systems and Browsers Are Vulnerable?
The researchers demonstrated FROST on Linux and macOS systems. Chrome, Firefox, and Safari all support OPFS, meaning users of these browsers across both operating systems face exposure. The research brief does not specify whether Windows systems are affected by the attack as tested, leaving that question open. What’s clear is that the vulnerability spans multiple browsers and operating systems, making it a broad security concern rather than an isolated edge case.
What Should Users Do Right Now?
There is no simple user-level fix for FROST. You cannot disable OPFS without breaking legitimate offline functionality in web applications. Browser vendors will need to implement mitigations—either restricting OPFS access, adding permission prompts, or introducing timing noise that degrades the attack’s accuracy. Until those changes arrive, the attack remains possible on vulnerable systems.
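To make the mitigation tradeoff concrete, here is a small added simulation (not code from the FROST researchers or from any browser vendor) that models the contention channel described under “How the FROST Attack Actually Works” as two latency distributions, idle SSD versus busy SSD, and measures how well a simple threshold classifier separates them before and after the browser adds random jitter to each timing result. The latency means and spreads, the jitter width and the read counts are constructed assumptions, not measurements from the research. What it demonstrates is that additive timing noise lowers accuracy when the attacker gets one read per decision but is averaged away when many reads are allowed, which is why noise alone is a weaker mitigation than restricting access to the API or limiting how often it can be probed.

```javascript
// Added example: toy model of the FROST contention channel and of a timing-jitter mitigation.
// All distributions, jitter widths and read counts below are constructed assumptions.

// Seeded PRNG (mulberry32) so every run is reproducible.
function mulberry32(seed) {
  return function () {
    let t = (seed += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Box-Muller transform: one Gaussian sample with the given mean and standard deviation.
function gaussian(rng, mean, sd) {
  const u = 1 - rng(); // in (0, 1], so Math.log never sees 0
  const v = rng();
  return mean + sd * Math.sqrt(-2 * Math.log(u)) * Math.cos(2 * Math.PI * v);
}

// Assumed per-read latency in microseconds for an idle SSD and for an SSD
// contended by another app or tab. Busy reads are slower and more variable.
const IDLE = { mean: 120, sd: 15 };
const BUSY = { mean: 180, sd: 25 };

// One observation = average of `reads` probe latencies, each reported by the
// browser with uniform jitter in [-jitterUs, +jitterUs] added (the mitigation).
function observe(rng, dist, reads, jitterUs) {
  let total = 0;
  for (let i = 0; i < reads; i++) {
    const trueLatency = gaussian(rng, dist.mean, dist.sd);
    const reported = trueLatency + (rng() * 2 - 1) * jitterUs;
    total += reported;
  }
  return total / reads;
}

// Stand-in for the neural network: decide "busy" when the observation exceeds the
// midpoint between the two class means. Returns the fraction of correct guesses.
function classifierAccuracy({ seed = 1, trials = 2000, reads = 1, jitterUs = 0 } = {}) {
  const rng = mulberry32(seed);
  const threshold = (IDLE.mean + BUSY.mean) / 2;
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const actuallyBusy = rng() < 0.5;
    const obs = observe(rng, actuallyBusy ? BUSY : IDLE, reads, jitterUs);
    if ((obs > threshold) === actuallyBusy) correct++;
  }
  return correct / trials;
}

// Three scenarios: no mitigation; jitter with one read per decision;
// jitter with many reads per decision (the attacker averages the noise away).
function demo() {
  return {
    noJitter: classifierAccuracy({ jitterUs: 0, reads: 1 }),
    jitterSingleRead: classifierAccuracy({ jitterUs: 150, reads: 1 }),
    jitterManyReads: classifierAccuracy({ jitterUs: 150, reads: 50 }),
  };
}

console.log(demo());
```

Run it with node and compare the three accuracies: without jitter the threshold classifier is well above 90 percent, jitter of ±150 µs pulls a single-read decision down toward a coin flip, and allowing 50 reads per decision brings accuracy back above 90 percent. A real deployment would also have to consider rate limiting the API or making the probe itself expensive, since averaging defeats zero-mean noise.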
The immediate lesson is that browser APIs designed for convenience can become vectors for abuse. OPFS was created to help web applications work offline, a genuinely useful feature. But like many powerful APIs, it carries security tradeoffs that users rarely understand. The FROST attack exposes a gap between what users think browsers can do and what they actually can do.
Can Websites Really Identify Me Accurately?
Yes, within limits. The researchers trained a neural network to classify activity patterns, and the model can distinguish between different applications and websites based on SSD timing alone. However, the attack’s accuracy depends on how distinctive the activity pattern is—opening Spotify will create different SSD behavior than opening a text editor. The attack is most reliable when monitoring activity with consistent, recognizable patterns. Rapid context-switching or simultaneous activity from multiple applications may degrade accuracy, though the research brief does not specify exact accuracy figures.
Is This Attack Already Being Used in the Wild?
The research brief does not confirm whether FROST is currently deployed on live websites or being exploited in active attacks. The attack was demonstrated by security researchers as a proof of concept. The fact that it’s now public means defenders are aware of the threat and can begin implementing mitigations, but it also means attackers have a roadmap. Historically, once a proof-of-concept exploit is published, deployment follows within months.
Final Verdict
The FROST attack is a reminder that security in modern browsers is a layered problem, and convenience often wins out over privacy by default. OPFS is genuinely useful for offline web applications, but its design—allowing persistent file access without permissions—creates an exploitable side channel. The attack works silently, requires no user interaction, and spans three major browsers. Until browser vendors patch this vulnerability, assume that visiting a malicious website could leak information about what else you’re doing on your device. This is not a flaw in your setup or a user error—it’s a fundamental design issue that requires vendor-level fixes.
Edited by the All Things Geek team.
Source: Tom's Hardware